Opened 7 years ago

Closed 7 years ago

Last modified 4 years ago

#28741 closed Cleanup/optimization (fixed)

Remove unnecessary leading dot from cross-domain cookie examples

Reported by: Niels van Huijstee Owned by: nobody
Component: Documentation Version: 1.11
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

When I set CSRF_COOKIE_DOMAIN / SESSION_COOKIE_DOMAIN to a domain, like "example.com", (no leading dot), the cookies are set to ".example.com" (with leading dot). To me, this is not clear from the docs, so this is either an undocumented feature or unintended behavior.

Change History (6)

comment:1 by Tim Graham, 7 years ago

Has patch: set
Summary: CSRF_COOKIE_DOMAIN / SESSION_COOKIE_DOMAIN are always cross domainRemove unnecessary leading dot from cross-domain cookie examples
Triage Stage: UnreviewedAccepted
Type: BugCleanup/optimization

From Mozilla's documentation for the Set-Cookie header: "Contrary to earlier specifications, leading dots in domain names are ignored. If a domain is specified, subdomains are always included."

PR

comment:2 by GitHub <noreply@…>, 7 years ago

Resolution: fixed
Status: newclosed

In afd375f:

Fixed #28741 -- Removed unnecessary leading dot from cross-domain cookie examples.

comment:3 by Tim Graham <timograham@…>, 7 years ago

In cd37e47:

[2.0.x] Fixed #28741 -- Removed unnecessary leading dot from cross-domain cookie examples.

Backport of afd375fc343baa46e61036087bc43b3d096bb0ca from master

comment:4 by Tim Graham, 4 years ago

It turns out that some of these leading dots are necessary for CSRF protection (see #32065 and PR).

comment:5 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

In 2e7ba605:

Refs #28741 -- Doc'd SESSION_COOKIE_DOMAIN requirement with CSRF_USE_SESSIONS.

Similar considerations as refs #32065, again adding some nuance to
afd375fc343baa46e61036087bc43b3d096bb0ca.

comment:6 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

In f4db2d1:

[3.1.x] Refs #28741 -- Doc'd SESSION_COOKIE_DOMAIN requirement with CSRF_USE_SESSIONS.

Similar considerations as refs #32065, again adding some nuance to
afd375fc343baa46e61036087bc43b3d096bb0ca.

Backport of 2e7ba6057cfc82a15a22b6021cd60cf307152e2d from master

Note: See TracTickets for help on using tickets.
Back to Top